The Project Honeypot has an ample file on it, of course. Ukrainian harvester, first seen about two years ago, last seen this week, before that straight spammer for about four years with a list of (mostly Korean) associated mail servers a mile long, etcetera.

So... what does it do ? Let's see.

$ wc -l trilema-apr2016.txt
2097579 trilema-apr2016.txt

$ grep -c "91.200.12.73" trilema-apr2016.txt
468

If you think that there's tens of thousands of these, suddenly logfiles a coupla million lines long don't sound like much, you know ? Anyway, let's try a narrative.

So, on March 31st at 8:16:30 the Tireless Bot loads trilema.com/climax coming from nowhere and claiming to be running Chrome[i]. At 9:23:25 it loads "An era ends today. A new era starts today." coming from http://trilema.com/ which is a place it's never been. A second later it tries to post a comment[ii], and two seconds later it reloads the page.

Then at 9:25:34 goes back to "Climax", and 09:29:24 it's back on the page it tried to spam. At no point during all this does it load any of the page design elements or anything. Then at 11:10:17 back on "Climax", and at 11:14:21 back on "An era ends today". Then same thing, 12:53:33 / 13:00:38.[iii]

Then, out of character, loads "Awstats and stuff" at 13:49:21, still calling itself Chrome and still coming from http://trilema.com ; and at 13:49:22 tries to post (still as "PHP/5.2.31"), and then checks. Twice, this time : once at 13:49:24 still as "PHP/5.2.31", then once more at 13:53:47, this time back to being Chrome. Then at 14:41:32 checks the previous attempt once more, and at 15:33:49, 17:17:47, and 19:03:54 checks this attempt. By 22:19:14 it moves on to "MPEx - Status Report", where it tries to send a comment at 22:19:15 and then checks twice (at 22:19:16 as "PHP/5.3.56", at 22:21:52 as Chrome). And then moves back to "Climax" at 23:13:32, which it has time to try and post to before the day is out, in the usual manner.

This much brings us to the end of March, you see ? There's still all of April ahead of us! Out of curiosity I checked to see why its attempts to post fail. I found the IP blacklisted in my custom tailored antispam system in 2014[iv]! So no, its efforts didn't start in March current, nor in March last.

The attempts continue unabated, with variations in the PHP version installed (so far we've seen 5.2.31 and 5.3.56, but there's also 5.2.53, 5.3.18, 5.3.93, 5.2.05, 5.3.85, 5.3.64, 5.2.61, 5.2.70, 5.3.76, 5.2.83, 5.3.86, 5.2.90 and so on and so forth) but little variation in the user agent, until on April 9th it becomes "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.3.4000 Chrome/30.0.1599.101 Safari/537.36". You know, the "cloud browser", which apparently sucks because on April 11 we move on to "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0" which turns to rv:34.0 within hours. We're then happy with this until the next day, when upgrading to rv:35.0 is de rigueur. Imagine the horror of this upgrade cycle, even the spammers pretending to be using the shit are stuck constantly modifying strings! Yet oddly enough, through thick and thin 20100101 stays 20100101.

This version serves us well until the 13th, on which it receives an addition : "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 AlexaToolbar/alxf-2.21"[v]. The Alexa toolbar nominally stays until April 14th (no doubt greatly if nominally improving the overall relevancy and pertinence of yet another Amazon service), at which point we're again upgrading, this time to "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" which in turn changes to "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" on the 18th and so on and so on and so on and so on AND SO ON. And so on.

By April 19th the Tireless Bot is still checking the "Awstats" article, who knows, maybe, and it's still trying to leave comments, this time on "Five bucks for great justice". Who knows, maybe that one works. And if it doesn't - all the better, more stuff to check anyway. Same way as with any bureaucracy, amirite ?
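The three tells in the narrative above (rotating user agents, a "PHP/x.y.z" agent string, comment posts with no design elements ever loaded) can be checked per IP over an access log. This is an added example, not the author's antispam system; it assumes Apache combined log format, and the sample lines, IPs, paths and thresholds are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
ASSET = re.compile(r'\.(?:css|js|png|jpe?g|gif|ico)(?:\?|$)', re.I)
FAKE_PHP = re.compile(r'^PHP/\d')  # a PHP version sent as the user agent, as quoted above

# Constructed sample: documentation-range IPs, made-up paths, sizes and agents.
SAMPLE = """\
203.0.113.7 - - [31/Mar/2016:08:16:30 +0000] "GET /climax/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 Chrome/30.0"
203.0.113.7 - - [31/Mar/2016:09:23:25 +0000] "GET /some-post/ HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0 Chrome/30.0"
203.0.113.7 - - [31/Mar/2016:09:23:26 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 120 "-" "PHP/5.2.31"
203.0.113.7 - - [31/Mar/2016:09:23:28 +0000] "GET /some-post/ HTTP/1.1" 200 5120 "-" "PHP/5.2.31"
203.0.113.7 - - [11/Apr/2016:10:00:00 +0000] "GET /some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/33.0"
198.51.100.20 - - [31/Mar/2016:10:00:00 +0000] "GET /some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/45.0"
198.51.100.20 - - [31/Mar/2016:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 800 "http://example.org/some-post/" "Mozilla/5.0 Firefox/45.0"
198.51.100.20 - - [31/Mar/2016:10:05:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/45.0"
"""

def profile(log_text):
    """Per-IP counters: distinct agents, POSTs, static-asset fetches."""
    stats = defaultdict(lambda: {"agents": set(), "posts": 0, "assets": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, agent = m.groups()
        s = stats[ip]
        s["agents"].add(agent)
        s["posts"] += method == "POST"
        s["assets"] += bool(ASSET.search(path))
    return stats

def suspects(stats, max_agents=2):
    """Map each flagged IP to the reasons it was flagged (max_agents is an assumed threshold)."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if len(s["agents"]) > max_agents:
            reasons.append("rotating user agents")
        if any(FAKE_PHP.match(a) for a in s["agents"]):
            reasons.append("PHP/x.y.z agent")
        if s["posts"] and not s["assets"]:
            reasons.append("posts without loading assets")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The asset check is only meaningful over a window long enough that a real browser would have fetched at least one stylesheet or image; clients served entirely from cache will also show zero asset hits.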

Here's the source for your files, and remember you must have been amused as per Regulations of Insistence and Artificial Cognitive Products #574 dash W. Don't forget to leave your green copy of lulz with the girl at the entrance and remember to mail the crossword puzzle variant on the mauve (not the purple!) paper sometime before the cutoff (but not after the other cutoff!!1). Thank you.

It comes from 89.34.126.145 which is actually a fixed cable address in Galati, Romania so for all we know it could even be an actual granny with TWO versions of something called the "Dealio Toolbar". The only strange is that the same IP identifies the running browser as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; Dealio Toolbar 3.8.85)" at 03:13:22 ; as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; Crazy Browser 5.3.58; Dealio Toolbar 3.4.42; Dealio Toolbar 2.3.65; Alexa Toolbar)" at 3:13:22 and as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; Dealio Toolbar 3.8.85)" at the same 3:13:22 ; then as "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; MSN Optimized; GB; ZangoToolbar 6.5.14; .NET CLR 5.9.70)" at 3:13:23. Seems a little rich, doesn't it ?

Especially as we've earlier that same day (April 6th) seen this exact IP claiming to be "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36" or doing strange like